Edit tour

Windows Analysis Report
EXPORT INVOICE.pdf.scr

Overview

General Information

Sample Name:	EXPORT INVOICE.pdf.scr (renamed file extension from scr to exe)
Analysis ID:	625078
MD5:	2cf09341b87d20404a6d824305ea5419
SHA1:	ec9de894d7cb09ed3940db31dfc7a39cc1280acd
SHA256:	2b21885c68cf8bcee3be7e08574372130a42c74a047b1f962cc5e270bb7b543e
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Initial sample is a PE file and has a suspicious name

Uses an obfuscated file name to hide its real file extension (double extension)

Machine Learning detection for sample

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

PE file contains strange resources

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Classification

Process Tree

System is w10x64

EXPORT INVOICE.pdf.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe" MD5: 2CF09341B87D20404A6D824305EA5419)

WerFault.exe (PID: 5336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: EXPORT INVOICE.pdf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: EXPORT INVOICE.pdf.exe	Virustotal: Detection: 37%			Perma Link
Source: EXPORT INVOICE.pdf.exe	ReversingLabs: Detection: 34%

Machine Learning detection for sample

Source: EXPORT INVOICE.pdf.exe

Joe Sandbox ML: detected

Source: EXPORT INVOICE.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: EXPORT INVOICE.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Core.ni.pdbRSDSD source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: Accessibility.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: .pdb08 source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: EXPORT INVOICE.pdf.PDB source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: (P5oLC:\Windows\Microsoft.VisualBasic.pdb source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbH source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb4" source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: np@oVisualBasic.pdb source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\EXPORT INVOICE.pdf.PDB source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERC3FE.tmp.dmp.7.dr

Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.370373493.000000000867D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.wM
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comionm
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371092907.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371092907.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371043084.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371160843.000000000867D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com;
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371043084.000000000867D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comW
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comWT
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnD
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cndnl
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.379986920.000000000864D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.379854422.000000000864E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comrmW
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371908716.0000000008647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.373268434.0000000008648000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.373229768.0000000008647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: EXPORT INVOICE.pdf.exe
Source: initial sample	Static PE information: Filename: EXPORT INVOICE.pdf.exe

Source: EXPORT INVOICE.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: EXPORT INVOICE.pdf.exe	Binary or memory string: OriginalFilename vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.364000331.0000000000FB2000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameIRuntimeEvidenceFact.exe< vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412654077.000000000A0E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000002.432550901.000000000329A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFort.dll" vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe	Binary or memory string: OriginalFilenameIRuntimeEvidenceFact.exe< vs EXPORT INVOICE.pdf.exe

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280

Source: EXPORT INVOICE.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_0327216B	1_2_0327216B
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03271768	1_2_03271768
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_0327B52C	1_2_0327B52C
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_032704D0	1_2_032704D0
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03270FD8	1_2_03270FD8
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273313	1_2_03273313
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_032753E8	1_2_032753E8
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_032753F8	1_2_032753F8
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273205	1_2_03273205
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273120	1_2_03273120
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_032751B1	1_2_032751B1
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273184	1_2_03273184
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_032751C0	1_2_032751C0
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273070	1_2_03273070
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03275629	1_2_03275629
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03275638	1_2_03275638
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_0327352C	1_2_0327352C
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_032734AF	1_2_032734AF
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03274B38	1_2_03274B38
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03274B48	1_2_03274B48
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_0327580B	1_2_0327580B
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03272F79	1_2_03272F79
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273FB1	1_2_03273FB1
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03270F92	1_2_03270F92
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_03273FC0	1_2_03273FC0
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_0A0C8A90	1_2_0A0C8A90
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_0A0CEFC0	1_2_0A0CEFC0

Source: EXPORT INVOICE.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: EXPORT INVOICE.pdf.exe	Virustotal: Detection: 37%
Source: EXPORT INVOICE.pdf.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

File read: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Jump to behavior

Source: EXPORT INVOICE.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe "C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe"
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7108

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3FE.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.evad.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: EXPORT INVOICE.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EXPORT INVOICE.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: System.Core.ni.pdbRSDSD source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: Accessibility.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: .pdb08 source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: EXPORT INVOICE.pdf.PDB source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: (P5oLC:\Windows\Microsoft.VisualBasic.pdb source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbH source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb4" source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: np@oVisualBasic.pdb source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\EXPORT INVOICE.pdf.PDB source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERC3FE.tmp.dmp.7.dr

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_00EF23FC push esp; ret		1_2_00EF23FE
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Code function: 1_2_00EF2418 push cs; retf		1_2_00EF2422

Source: initial sample

Static PE information: section name: .text entropy: 7.63374734815

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: EXPORT INVOICE.pdf.exe

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe TID: 7112

Thread sleep time: -45733s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Thread delayed: delay time: 45733

Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Fonts\GILSANUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Process Injection	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	12 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EXPORT INVOICE.pdf.exe	37%	Virustotal		Browse
EXPORT INVOICE.pdf.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
EXPORT INVOICE.pdf.exe	100%	Avira	HEUR/AGEN.1202539
EXPORT INVOICE.pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.EXPORT INVOICE.pdf.exe.ef0000.0.unpack	100%	Avira	HEUR/AGEN.1244320	Download File
1.0.EXPORT INVOICE.pdf.exe.ef0000.0.unpack	100%	Avira	HEUR/AGEN.1244320	Download File
1.0.EXPORT INVOICE.pdf.exe.ef0000.1.unpack	100%	Avira	HEUR/AGEN.1244320	Download File
1.0.EXPORT INVOICE.pdf.exe.ef0000.4.unpack	100%	Avira	HEUR/AGEN.1244320	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cndnl	0%	Avira URL Cloud	safe
http://en.wM	0%	Avira URL Cloud	safe
http://www.sakkal.comrmW	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fonts.comW	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cnD	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fonts.comWT	0%	Avira URL Cloud	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.fontbureau.comionm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.typography.netr	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fonts.com;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cndnl	EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://en.wM	EXPORT INVOICE.pdf.exe, 00000001.00000003.370373493.000000000867D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.comrmW	EXPORT INVOICE.pdf.exe, 00000001.00000003.379986920.000000000864D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.379854422.000000000864E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comW	EXPORT INVOICE.pdf.exe, 00000001.00000003.371043084.000000000867D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnD	EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comWT	EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.net	EXPORT INVOICE.pdf.exe, 00000001.00000003.371908716.0000000008647000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comionm	EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	EXPORT INVOICE.pdf.exe, 00000001.00000003.371092907.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netr	EXPORT INVOICE.pdf.exe, 00000001.00000003.373268434.0000000008648000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.373229768.0000000008647000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com;	EXPORT INVOICE.pdf.exe, 00000001.00000003.371092907.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371043084.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371160843.000000000867D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	625078
Start date and time: 12/05/202211:48:04	2022-05-12 11:48:04 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EXPORT INVOICE.pdf.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.evad.winEXE@2/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 2.8% (good quality ratio 1.5%) Quality average: 33.8% Quality standard deviation: 38.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 17 Number of non-executed functions: 20
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:49:32	API Interceptor	1x Sleep call for process: EXPORT INVOICE.pdf.exe modified
11:49:44	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXPORT INVOICE.p_b5f6764852466b593dfad674787e99291849f4a4_5c0e5d72_148dd68c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1180961660191344
Encrypted:	false
SSDEEP:	192:8So+ZrokHBUZMXyaKeCikHKvi/u7s+S274ItV3N:NoGssBUZMXyaO/u7s+X4ItV3N
MD5:	1F31080612E3F6C4532346FCD3D5C016
SHA1:	E42CCD16F84BFF420021EB2BA9DDC537F737FEFC
SHA-256:	0B7453D7AA239FECF7864F1B5810B4F239D115F609136131996FADE243151C30
SHA-512:	A3F6052AD7416A4CEE823CE102D4B70A0CD2776752D9E80DA14F36AAF8403B64BB478A0DA196CF549EA84BD4604F858D75D6F0EEA2FAA9E48C6E64E2E74BF263
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.8.5.4.9.8.0.1.9.8.2.6.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.6.8.5.4.9.8.3.5.4.2.0.2.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.1.1.6.5.9.5.-.5.a.5.9.-.4.3.a.0.-.9.d.c.7.-.4.7.c.7.9.e.6.5.0.9.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.c.a.f.e.2.9.-.b.d.f.a.-.4.b.6.4.-.9.3.1.d.-.8.9.9.1.a.8.1.5.5.e.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.P.O.R.T. .I.N.V.O.I.C.E...p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.R.u.n.t.i.m.e.E.v.i.d.e.n.c.e.F.a.c.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.4.-.0.0.0.1.-.0.0.1.8.-.3.b.2.f.-.d.e.f.8.3.0.6.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.c.3.a.0.5.7.5.0.3.1.8.a.8.8.8.9.c.8.8.1.7.4.f.9.f.2.7.b.8.2.9.0.0.0.0.0.0.0.0.!.0.0.0.0.e.c.9.d.e.8.9.4.d.7.c.b.0.9.e.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3FE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 12 18:49:40 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	259748
Entropy (8bit):	4.124164669491366
Encrypted:	false
SSDEEP:	3072:nO1ljd+p2SN0o9gIOgF5xc0+TUCgUDHoPtk+Dl0dopIXuq2:O16pV0o9RpDqHTjrmtrR0dX
MD5:	27132ED0DF055D722D2EC7D30A3BDDD1
SHA1:	E1849483F307B97C1BE9B2A6DACAFDE31DDE71CD
SHA-256:	BFC754BC356FF8C2723F75F675A88A0409EC663F30208D4C484859717C3A8C94
SHA-512:	D89C84400ADEE3F24E833CE23C7A8DADA0D8242E0E40457AEE0C3979B604121CA73CD5F2D0E1240840EE5A24AB8D5D7EFEB03B224B603CB0A0D376A1313CCA83
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........V}b.....................................'...F..........T.......8...........T............1............... ..........."...................................................................U...........B......P#......GenuineIntelW...........T............V}b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA77.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8452
Entropy (8bit):	3.7133404895699718
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiO56B6YfgSUpvy3MgmfZDYSoCpr989bP0sfOFm:RrlsNiY6B6YoSUpvycgmfNYSKPnfd
MD5:	468747CA40B4B83F9FBB334CD4B3A34D
SHA1:	E53798256597E7463D2E62655E6935F4EC4F12D0
SHA-256:	B73923FC0A208D55F89E62E3FB86058EB8C90884C3EF86A17B13A59FBE0A833C
SHA-512:	EF1C78E9AEE301304FF0E16F83D4055322D1E0855DBE0CB9FC4CD027039F5F251ED4B1B0D437E866D10FCABA644CF7300FDD384E11E6702EEABCEEAA2064977D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4805
Entropy (8bit):	4.563561801184721
Encrypted:	false
SSDEEP:	48:cvIwSD8zsTJgtWI9ILyWgc8sqYjw18fm8M4JgB8zL8Fd+q8vozLMPn0ulZpAdOIk:uITftr3grsqYMCJghKnXlrAQIOd
MD5:	F4BFB7BF17BB4D09E417682C912EE9AC
SHA1:	4DF54B023773CB7754A7D510F1A2A6E87A0C7B19
SHA-256:	FBA7016993C3260F687045760192ED38E4B5997D982685365C70CD12B8779250
SHA-512:	B4563B3E695B5CFDDFF7014ADB27861463172DFD0CA5E264C350065F04AC8AFCFA3562E0ACCA7429DFE3377F04C5F349AE1D52BBF7460E928D88E4932A21CFCE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1512240" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.125237039189151
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	EXPORT INVOICE.pdf.exe
File size:	808448
MD5:	2cf09341b87d20404a6d824305ea5419
SHA1:	ec9de894d7cb09ed3940db31dfc7a39cc1280acd
SHA256:	2b21885c68cf8bcee3be7e08574372130a42c74a047b1f962cc5e270bb7b543e
SHA512:	db8e247a8192ee53b96ee12a9b1e120e904b58b96f5ea3687d10bda3ea16d479bfe2da0db07b633b35bc03da9665d8ebe13a0e494a481bd88a76c30b79c2dbe9
SSDEEP:	12288:cWRXIfWktOMzKcDOGjBTu2KSgaLfqGC7vh9KBYhLWWZ0u9zfLWt6l/4MKOC6ZEKA:ciXIfWcKwj9wSgajqh7J9K6hLPSu9O
TLSH:	B905BE9872D0B5AECB07C93289545C25A9203C67439AD20B6CC736DFE9BD69ECE041F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{b..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	24e4c69696b2d4cc

Static PE Info

General

Entrypoint:	0x4adaee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627BF1C4 [Wed May 11 17:26:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xada9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x19578	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabaf4	0xabc00	False	0.839913402929	data	7.63374734815	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x19578	0x19600	False	0.0630484144089	data	1.45882239786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xae220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xae688	0x877	PNG image data, 256 x 256, 8-bit colormap, non-interlaced
RT_ICON	0xaef00	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb14a8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb2550	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xc2d78	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xc6fa0	0x5a	data
RT_VERSION	0xc6ffc	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0xc7388	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020 Havy Alegria
Assembly Version	1.0.0.0
InternalName	IRuntimeEvidenceFact.exe
FileVersion	1.0.0.0
CompanyName	Havy Alegria
LegalTrademarks
Comments
ProductName	InnoExtractor
ProductVersion	1.0.0.0
FileDescription	InnoExtractor
OriginalFilename	IRuntimeEvidenceFact.exe

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXPORT INVOICE.pdf.exePID: 7108, Parent PID: 1984

General

Target ID:	1
Start time:	11:49:12
Start date:	12/05/2022
Path:	C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe"
Imagebase:	0xef0000
File size:	808448 bytes
MD5 hash:	2CF09341B87D20404A6D824305EA5419
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5336, Parent PID: 7108

General

Target ID:	7
Start time:	11:49:39
Start date:	12/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280
Imagebase:	0xe20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: EXPORT INVOICE.pdf.exePID: 7108, Parent PID: 1984COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	5

Executed Functions

Function 03271768 Relevance: 5.2, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 0327196B
ZO, xrefs: 03271824
?, xrefs: 03271837
?, xrefs: 0327183E

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZO$?$?$J
API String ID: 0-2372238481
Opcode ID: 009da93bf3cc9aa33b522222f67d34e8cfaf21c565de85b4b8da8d4d5d817589
Instruction ID: 8e3d4ff03f4055b60ed92f5877dc4041e3080348792a6fdbfd14718a7712441b
Opcode Fuzzy Hash: 009da93bf3cc9aa33b522222f67d34e8cfaf21c565de85b4b8da8d4d5d817589
Instruction Fuzzy Hash: 01513A74E2420A8FDB08CFA6C9406EEFBF2BF89300F24D56AD519A7254D7349A51CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0327B52C Relevance: 1.5, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+@7, xrefs: 0327F095

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: +@7
API String ID: 0-3361449578
Opcode ID: 4571dc71a13f0172db77bff30eecfcbc959068f8232d7033e2147d9aed41c139
Instruction ID: 4dae1cd42743246896c989a50d829eaa2a368672b61b0a6c10f387fc46a85025
Opcode Fuzzy Hash: 4571dc71a13f0172db77bff30eecfcbc959068f8232d7033e2147d9aed41c139
Instruction Fuzzy Hash: 92915870E25209DFDB04CFA9C9555AEFBB2FF89300F248429D406BB364DB349A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03270F92 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d11da0a91085ff01788ff88537f658d32bf19b4c0b6ebf9b54d44b0daa87c9
Instruction ID: 7965941444f4c28ac0d88a02fc6188a00d3a824cbe08a69196292aa6f3a31a2f
Opcode Fuzzy Hash: f1d11da0a91085ff01788ff88537f658d32bf19b4c0b6ebf9b54d44b0daa87c9
Instruction Fuzzy Hash: 7C91F374E142198FCB04CFAAC881AEDFBB2FF89300F14912AD819AB254D775A946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 03270FD8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81172a903ca1724acdc3893225bd3bdebb0454fc7388548419fc4c7dfaa148d9
Instruction ID: 9b77df05c2a135c6ecdd7b1d1bed897f538adc35a7b5d870bec2dfa18c422339
Opcode Fuzzy Hash: 81172a903ca1724acdc3893225bd3bdebb0454fc7388548419fc4c7dfaa148d9
Instruction Fuzzy Hash: 5881D474E152098FCB04CFAAC9806AEFBB2FF89300F14912AD919AB354DB755945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0A0C8A90 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.444358119.000000000A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a0c0000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8170939d2c25ee1d798cf134c9034cb92884ebe0d0e92035799dc6579db18ab2
Instruction ID: 6b7f2a461dd8a71c0702c23a082a25e68eb799abbb9f6acdbc77f2ae59830163
Opcode Fuzzy Hash: 8170939d2c25ee1d798cf134c9034cb92884ebe0d0e92035799dc6579db18ab2
Instruction Fuzzy Hash: 736125B0D0520EEFDB04CFA5D5815AEFBF2EF89300F24942AC506B7254E7749A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0327216B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a1e4933f14c3cc1dc15317d254767674eb2d8ab4801fedc73a386de444d457
Instruction ID: ab5b46c95983e193a44e529f301e7804bd55023b6ec76f0d776e1a184f32de43
Opcode Fuzzy Hash: 76a1e4933f14c3cc1dc15317d254767674eb2d8ab4801fedc73a386de444d457
Instruction Fuzzy Hash: 0031E771E006189BDB18CFAAD8446DEFBF7BFC9300F14C16AD509A6268DB744A96CF40

Uniqueness

Uniqueness Score: -1.00%

Function 032704D0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1a659476bfed4771c9a866554d0b967f73fd4c5ade9e7d5876c76fdbf4cef6
Instruction ID: 760577a6c12c638a1f04f3d52ab10d55c35e61481c3ef93b53373aab4cb2f871
Opcode Fuzzy Hash: db1a659476bfed4771c9a866554d0b967f73fd4c5ade9e7d5876c76fdbf4cef6
Instruction Fuzzy Hash: B721BD71E046199BEB58CF6BDC4469EFBF7BFC8304F14C166D808A6254EB3045858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0A0C674C Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A0C7783

Memory Dump Source

Source File: 00000001.00000002.444358119.000000000A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a0c0000_EXPORT INVOICE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 95708691fd5c55ac44d0be4e4cd852bf86b8136bf3207e582b18071c0b96343a
Instruction ID: b2e815704a55e1ba9e74cd71d94625d3399ff42a1c8f859a47dd073394e436cb
Opcode Fuzzy Hash: 95708691fd5c55ac44d0be4e4cd852bf86b8136bf3207e582b18071c0b96343a
Instruction Fuzzy Hash: 425155B8D0525C9FCB50CFA9D584A9EFBF1BB09310F24912AE818BB321E374A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0327BD50 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0327D639

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16fd5ff78dc1d38afe677628fae262ad68968e1d8e8e9a1f1d3f8fe3a1f0274f
Instruction ID: 008ac18ab4311eeea999d43a294da913eaaac919e4b293517919f53cb336e1ec
Opcode Fuzzy Hash: 16fd5ff78dc1d38afe677628fae262ad68968e1d8e8e9a1f1d3f8fe3a1f0274f
Instruction Fuzzy Hash: 5B5103B1D0461C8FDB20DFA4C984BDEBBB5BF45308F1184AAD509BB251DB706A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03277F48 Relevance: 1.6, APIs: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03277FF7

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f9472d134f2f41c5e60a01feab31f5041c587a51b2f151ceffdd2447f9481fdc
Instruction ID: 427685cf3c0d6ffb4d236f2bd8380e435ce54ee23a4550ed3625f81c4070e60d
Opcode Fuzzy Hash: f9472d134f2f41c5e60a01feab31f5041c587a51b2f151ceffdd2447f9481fdc
Instruction Fuzzy Hash: 8E3198B9D042589FCF10CFA9E584AEEFBF0BB59310F14902AE814B7210D775A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03277F50 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03277FF7

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 47b60a62fb71c86164a501d9d33f38b11d898b6105f82e7112cc016df8cc8b72
Instruction ID: 81c69b262136b0700828cc4ff720c3a4c68f5c7deaeb4789bd9dcea6363faf2f
Opcode Fuzzy Hash: 47b60a62fb71c86164a501d9d33f38b11d898b6105f82e7112cc016df8cc8b72
Instruction Fuzzy Hash: E43177B9D042589FCB10CFA9E584AEEFBF1BB19310F14942AE814B7310D775A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0167D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432139020.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_167d000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8798e600780225b54c85843bfa63ff89052d290e19532f6c5eacc1c961b246ca
Instruction ID: c3037c2281f938dbfd4344d5e3d169b338a9203b9c9b8b036a89595ba2eb8258
Opcode Fuzzy Hash: 8798e600780225b54c85843bfa63ff89052d290e19532f6c5eacc1c961b246ca
Instruction Fuzzy Hash: 432103B1504244DFEB15DF54D9C0B2ABF65FF88328F24CA69E9054B206C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0168D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432277046.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9d30245f11617ee38eefcfc3139f5b63aff7dc0decdfb05265a91f03c9e45c
Instruction ID: 43bd3d101e85873e083d89b096122582c8c428f11c9e90403cd2a33ca09224f5
Opcode Fuzzy Hash: dc9d30245f11617ee38eefcfc3139f5b63aff7dc0decdfb05265a91f03c9e45c
Instruction Fuzzy Hash: 13212571608204DFDB15EF54D9C0B26BB61FB84358F20C669D9494B386C336D847CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0168D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432277046.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d472062cf47020c114248108b368b70e2599f7aa62bebfb584467f2c903a21e
Instruction ID: 48a1bb21ad5bda046d85b1633c1fea2f7d20a7143a0c5e4c7a1635a96e464c17
Opcode Fuzzy Hash: 0d472062cf47020c114248108b368b70e2599f7aa62bebfb584467f2c903a21e
Instruction Fuzzy Hash: EB21D3B1504204EFDB01EF94D9D0B26BB65FB84328F24C6A9EA494B386C336D846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0168D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432277046.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08f5c51a10b84adb08514e5a0b9a5cc2779773f80d953d2f568b216de2cdd58
Instruction ID: 75245d8419c8eb3a8eacd7d094ed1a1a05b38a91d6e67021e15d552b44214322
Opcode Fuzzy Hash: e08f5c51a10b84adb08514e5a0b9a5cc2779773f80d953d2f568b216de2cdd58
Instruction Fuzzy Hash: 9521AE755093808FDB03CF24D990B15BF71EB46214F28C6EAD8498B697C33AD84BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 0167D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432139020.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_167d000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c702fd562b5f93e8e4b2e9ff7baf791e5e7de14944204115b6362cb0f0e05a08
Instruction ID: 7cb70bfa69d8eee2155b912438671a1459c20bd17b508866a6a0bccb111646b9
Opcode Fuzzy Hash: c702fd562b5f93e8e4b2e9ff7baf791e5e7de14944204115b6362cb0f0e05a08
Instruction Fuzzy Hash: DB11AF76504280DFDB12CF54D9C4B1ABF71FB84324F24C6A9D8450B656C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0168D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432277046.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8453f2856e9fffd06841d27046e1044311c887d38c2cdc4125c35467cc6d87
Instruction ID: 1cdd53039cb56d7f06175d9be3cb59b49aff8c7ad32892d54b229328b25ba728
Opcode Fuzzy Hash: 6d8453f2856e9fffd06841d27046e1044311c887d38c2cdc4125c35467cc6d87
Instruction Fuzzy Hash: FD11BB75944284DFCB02DF54C9D0B15BFB1FB84324F28C6A9D9494B796C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03273120 Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0
r, xrefs: 03273120

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp$r
API String ID: 0-3482329945
Opcode ID: 8ec7d719f87a4169f5d3e489dec531a49e1ff9c9e934a3595cc2842f817c766c
Instruction ID: 77093d820579ae452f9a1674938c353a5fe95f50d10188d7433107af4eadd0a8
Opcode Fuzzy Hash: 8ec7d719f87a4169f5d3e489dec531a49e1ff9c9e934a3595cc2842f817c766c
Instruction Fuzzy Hash: 6F516CB8D2520ADFCB04CF95D4814AEFBB2FF89340B10D559C216A7204D774DA86DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 03272F79 Relevance: 4.0, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp
API String ID: 0-3154686640
Opcode ID: 3e3eac7e0fa050f7ff5df43d21fb8a074f1046a5992236e007fa041dbfbf0c6c
Instruction ID: b94ea8afa0608c4492a0a6e23f938222cab73752f6e6f143f4604a0d88d4dfbb
Opcode Fuzzy Hash: 3e3eac7e0fa050f7ff5df43d21fb8a074f1046a5992236e007fa041dbfbf0c6c
Instruction Fuzzy Hash: 29A1AD74D10217DFCB04DFA5C88299EFBB1FF89300B18C659C525AB204E734A6A6CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03273070 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp
API String ID: 0-3154686640
Opcode ID: 5a0ef56d27e4e03af199a91b7eb0fdbb0d3ed6f7b461f1aba3d667082e385796
Instruction ID: a9391824b9094975c6675455536935043eb7284daf3c2562f600ef07323b7c46
Opcode Fuzzy Hash: 5a0ef56d27e4e03af199a91b7eb0fdbb0d3ed6f7b461f1aba3d667082e385796
Instruction Fuzzy Hash: 12619D78E2520ADFCB14CF96D8814AEFBB2FF89340F10D569C216A7214D7349A86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03273313 Relevance: 3.9, Strings: 3, Instructions: 125COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp
API String ID: 0-3154686640
Opcode ID: 6372476a85b43228fbc0645474469df77b3639fe087bdd6bd858cbbc088fe645
Instruction ID: 7db7cad113ee8ae930da4ec761085be49e618afeb32a518cc45bd0646d7caf6b
Opcode Fuzzy Hash: 6372476a85b43228fbc0645474469df77b3639fe087bdd6bd858cbbc088fe645
Instruction Fuzzy Hash: CB519F78D2520ADFCB14CF99C8814AEFBB1FF89350B10D659C212A7214D734D986DF94

Uniqueness

Uniqueness Score: -1.00%

Function 03273184 Relevance: 3.9, Strings: 3, Instructions: 125COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp
API String ID: 0-3154686640
Opcode ID: d5568d2c0faeeeaaa6269668fc23e556b04d9f348cd3c6487d99cae82d691dc1
Instruction ID: 5e43d49778048b8aa032e839795c05b794f87109f862a72ce642f77928ee78c1
Opcode Fuzzy Hash: d5568d2c0faeeeaaa6269668fc23e556b04d9f348cd3c6487d99cae82d691dc1
Instruction Fuzzy Hash: 50516C78E2520ADFCB04CF95D4814AEFBB2FF89340B20D959C216A7214D774EA86DF94

Uniqueness

Uniqueness Score: -1.00%

Function 03273205 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp
API String ID: 0-3154686640
Opcode ID: c3261923b07e76b32137ec51119500d05af21c44efe123b01d49f557cec0292b
Instruction ID: be9c2110634755a6f0e8181051f3766b8b0ccc3357a199663b051a7c55f58042
Opcode Fuzzy Hash: c3261923b07e76b32137ec51119500d05af21c44efe123b01d49f557cec0292b
Instruction Fuzzy Hash: 62517D78D2520ADFCB04CF95D4814AEFBB2FF89340B20D659C512A7214D734DA86DF94

Uniqueness

Uniqueness Score: -1.00%

Function 032734AF Relevance: 3.9, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

ZVFp, xrefs: 032731B7
ZVFp, xrefs: 032731CE
ZVFp, xrefs: 032731B0

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ZVFp$ZVFp$ZVFp
API String ID: 0-3154686640
Opcode ID: f23fc95807f050af951236a80d7c70aa1dccecc49babdf12fd022cd6c0806032
Instruction ID: cbf10057936bcef5cf146b3da61212f4c052732094fc2613ccd1a8bee653aab8
Opcode Fuzzy Hash: f23fc95807f050af951236a80d7c70aa1dccecc49babdf12fd022cd6c0806032
Instruction Fuzzy Hash: 06514978E2520ADFCB04CF95D4814AEFBB2FF89340B20D659C216A7214D774EA86DF94

Uniqueness

Uniqueness Score: -1.00%

Function 03275638 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

Ju`, xrefs: 03275739
Ju`, xrefs: 03275732

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: Ju`$Ju`
API String ID: 0-3353033364
Opcode ID: bf0f677397ff0bc0eafd89151096a11691dcfeff23114e2c7cd26c5a225cf827
Instruction ID: f2b4fe35f88bbf868493083a1663c2a1a8a1917d2b02de23de11c6cda95c382e
Opcode Fuzzy Hash: bf0f677397ff0bc0eafd89151096a11691dcfeff23114e2c7cd26c5a225cf827
Instruction Fuzzy Hash: 2A41F6B4E2520ADFCB44CFAAC5815AEFBB2FB89300F24D56AC505B7204D7759A81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 032753F8 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

^8, xrefs: 032755A7

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ^8
API String ID: 0-11385890
Opcode ID: 1d60dce52262b111bfa3183df358648b9c179e9257fa8a8d3ff1d3b9c2b456b7
Instruction ID: e0d2f2ac581cda9f38bcb9ce526b76890e42627f02056894f27b31442afc871f
Opcode Fuzzy Hash: 1d60dce52262b111bfa3183df358648b9c179e9257fa8a8d3ff1d3b9c2b456b7
Instruction Fuzzy Hash: F761E270E25619CFCB08CFAAD9804DEFBF2FB89311F24956AD41AB7214D7709A418F54

Uniqueness

Uniqueness Score: -1.00%

Function 032753E8 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

^8, xrefs: 032755A7

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID: ^8
API String ID: 0-11385890
Opcode ID: b03631b9a6ad2271936e3c9c07334c3de6875768c3e654c3b2916c91739bb8cc
Instruction ID: 88c3d1cbd847441f623a8eaa19daff9444dcf7bc326c990bee3387f2dac942f1
Opcode Fuzzy Hash: b03631b9a6ad2271936e3c9c07334c3de6875768c3e654c3b2916c91739bb8cc
Instruction Fuzzy Hash: 9C51F574E25619CFCB08CFAAD9805DEFBF2FF89210F24956AD416B7314D3349A428B54

Uniqueness

Uniqueness Score: -1.00%

Function 0A0CEFC0 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.444358119.000000000A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a0c0000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eceeb0057e0912c6751a71686d44efb372e9e40aa0e28a889390e0d87962cba4
Instruction ID: 3a5b4512150042ae86da8e186706a07856d0b3a7c1f0fe84cba9c6a1ae056ca5
Opcode Fuzzy Hash: eceeb0057e0912c6751a71686d44efb372e9e40aa0e28a889390e0d87962cba4
Instruction Fuzzy Hash: 1E025A35B1061A9FCB58CF69C488A6DB7F3BF88610B168169E906DB371EB31EC01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03273FC0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbc3df6889238fb68e72777bb9994e8b193240ff00fa3b75c8ac4eff49fdac3
Instruction ID: c3817d8dc977ee68a07fa8f028074fd75224475b190f861ff823d03e960dd542
Opcode Fuzzy Hash: cdbc3df6889238fb68e72777bb9994e8b193240ff00fa3b75c8ac4eff49fdac3
Instruction Fuzzy Hash: 5A81D074A24219CFCB48DF9AC58489EFBF2FF89350F248559D415AB324D370AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03273FB1 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c887da24bba9c96e030fd2fca5981832e0bb056f37ac6441504e44b77e8295e9
Instruction ID: b553824912f5a0c9a782d3add3175f476643ec6d7060ed2c2c46d02c85eafee1
Opcode Fuzzy Hash: c887da24bba9c96e030fd2fca5981832e0bb056f37ac6441504e44b77e8295e9
Instruction Fuzzy Hash: 9681C074A20219CFCB48DF9AC58499EFBF2FF89310F14856AD415AB325D370AA82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03274B48 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831e34f874c9be3c1dc3d87f5ccf161bff435efa54cdbaa84b6f948052360fc3
Instruction ID: e9f220e2759ff2f6016841da9a6b3e133046b95e62805e8b049a7c5e2a5bc15e
Opcode Fuzzy Hash: 831e34f874c9be3c1dc3d87f5ccf161bff435efa54cdbaa84b6f948052360fc3
Instruction Fuzzy Hash: 747102B4D2520ACFCB04DFAAD4819AEFBB1FF88310F15955AD415A7314D730A982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03274B38 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45adfd4da072dec7560fe9b1ff5cf1b797f48c84f033169de243251d7c000c3
Instruction ID: a3b4db4cde2e8f51e3063fedc351b20885ef8a82c35395b2f691dbe8781888a8
Opcode Fuzzy Hash: e45adfd4da072dec7560fe9b1ff5cf1b797f48c84f033169de243251d7c000c3
Instruction Fuzzy Hash: B261F274D2420ACFCB04DFAAD4849AEFBB2FF89310F15955AD415A7214D730A982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0327352C Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1845906333a873c117aee4a7a7f606bbacf2f89f6ed3111739cffd9b48c490ed
Instruction ID: 6614ccf6d064d1e0f632cac3f6857a026b5cb648b4e64e65386c19b4066f3ded
Opcode Fuzzy Hash: 1845906333a873c117aee4a7a7f606bbacf2f89f6ed3111739cffd9b48c490ed
Instruction Fuzzy Hash: 44518774E1121ACFCB04CFA9C9829AEFBF1BF89310F188569C515AB320E7309A51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032751B1 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0431d3c6f1a274af58a1bc9640f2bec9b71a965dc906a9e3a0cc453ca8ecd12
Instruction ID: 8383f55d7b50c9b9763a64964a3e62464583159708a418ed1bef29589f08e236
Opcode Fuzzy Hash: e0431d3c6f1a274af58a1bc9640f2bec9b71a965dc906a9e3a0cc453ca8ecd12
Instruction Fuzzy Hash: 5841FB70E2560A9FCB04CFAAC5415AEFBF2FF89300F24C46AC519A7254E7749A81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 032751C0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e65a57b9980a84e942fa79f090828e12ca79ff7a7fe1739231627036045209
Instruction ID: 4dbff422eb760b124fd2c7f7d12080a25b67cc4eef011db0dbe059872a753e95
Opcode Fuzzy Hash: 12e65a57b9980a84e942fa79f090828e12ca79ff7a7fe1739231627036045209
Instruction Fuzzy Hash: D141E970E2560A9FCB44CFEAC5415AEFBF2BF89300F24D46AC519A7214E7749681CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0327580B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc810fe813d42696d540dc92dc62021619602e3fefc1f9025a039a05f773ae0
Instruction ID: 8015fa308fd6a4ab97901de64410bf0bb1ad18558208377268888ddc2f4570d1
Opcode Fuzzy Hash: 0bc810fe813d42696d540dc92dc62021619602e3fefc1f9025a039a05f773ae0
Instruction Fuzzy Hash: 70415D71E156198BEB28DF6B9D4479EFAF3BFC9300F14C1BA850CA6214EB300A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 03275629 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.432498705.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3270000_EXPORT INVOICE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6410fb6487b7081d771e6a787b908d0197400a633687140960aa6abae9392e
Instruction ID: 4bfd6213c040d133e97ec132438b6fc90ded3745cab92d5da1a45da9a106f4a0
Opcode Fuzzy Hash: 9c6410fb6487b7081d771e6a787b908d0197400a633687140960aa6abae9392e
Instruction Fuzzy Hash: 2E4105B4E2520ADFCB04CFAAC5815AEFBF2BB89300F24D56AC405B7204D7359A81CF94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EXPORT INVOICE.pdf.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXPORT INVOICE.p_b5f6764852466b593dfad674787e99291849f4a4_5c0e5d72_148dd68c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3FE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA77.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA1.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXPORT INVOICE.pdf.exePID: 7108, Parent PID: 1984

General

Chronological Activities

Analysis Process: WerFault.exePID: 5336, Parent PID: 7108

Windows Analysis Report
EXPORT INVOICE.pdf.scr

Function 03271768 Relevance: 5.2, Strings: 4, Instructions: 159
COMMON

Function 0327B52C Relevance: 1.5, Strings: 1, Instructions: 225
COMMON

Function 0A0C674C Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Function 0327BD50 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Function 03277F48 Relevance: 1.6, APIs: 1, Instructions: 97
memoryCOMMON

Function 03277F50 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON